Adapting the filter policy for guest users
The filter policy described below allows guest users to access websites in HTTP and HTTPS with URL filtering.
Two rules can be created in the wizard: one to decrypt HTTPS traffic and the other to direct such traffic to the SSL proxy so that it can be analyzed by URL filter rules and intrusion prevention processes.
- In the Filtering tab in the Configuration > Security policy > Filter - NAT module, click on New rule and select SSL inspection rule.
- Enter details about the source networks or hosts (From column - guests_network in the example), the destination (To column - Internet in the example) and the destination port (HTTPS in the example). Confirm by clicking on Finish.
- Double click on the source of the rule that redirects to the SSL proxy. In the User field, select Any user@guest_users.local.domain.
- In the Advanced properties tab, select Guest as the Authentication method.
- In Port / Protocol, select Application protocol for the Protocol type field, then HTTP for the Application protocol.
- In Inspection, select the URL filter profile to apply (URLFilter_00 in the example),
- Confirm by clicking on OK.
- In the Filtering tab in the Configuration > Security policy > Filter - NAT module, click on New rule and select Authentication rule.
- In the wizard, enter the source networks or hosts (From field - guests_network in the example) and the destination (To field - Internet in the example) for which unauthenticated users will be redirected to the captive portal.
- Confirm by clicking on Finish. This rule selects the HTTP port as the default destination port.
- To add the HTTPS port to it, double click on the Dest. port field in this rule. In the Destination port field in the window where rules are edited, add the HTTPS port. Confirm by clicking on OK.
- Using the Up and Down arrows, position this rule between the SSL decryption rule and the SSL proxy redirection rule.
- In the Filtering tab in the Configuration > Security policy > Filter - NAT module, click on New rule and select Simple rule.
- In the Status column, double-click on Off to enable the rule (the status of the rule becomes On).
- In the Action column, double-click on block then select the value pass for the Action field: Select the desired log level for connections that match this rule; log (filter log) makes it possible to view events relating to the connections of guest users in connection logs, for example.
- In the Source section located to the left of the rule editing window, assign the following values to the various fields:
- User: select Any user@guest_users.local.domain.
- Source hosts: select the guest user network.
Advanced properties tab
- Authentication method: select the Guest method
- In the Destination section, select the Internet object for the Destination hosts field.
- In the Port - Protocol section, select the HTTP object for the Destination port field.
- In Inspection, leave the IPS mode suggested by default and select the URL filter profile to apply (URLFilter_00 in the example), This profile can be customized in the Configuration > Security policy > URL filtering module.
The filter policy regarding guest users will therefore resemble the following: